Well, in 99% of cases, it is. You open a special window in your chosen web browser, and use it for stuff you’d much rather wasn’t stored in your browsing history. When you’re finished, simply close it, and everything will be forgotten.

Except, that isn’t always the case. There are several ways in which private browsing can be defeated. Some of them don’t even need all that much work.

Nvidia GPUs Never Forget

Two years ago, Canadian student Evan Andersen fired up Diablo III after an evening spent watching adult videos. But instead of seeing the popular hack-and-slash role playing game, he ended up seeing the raunchy movies he’d been watching earlier.

“When I launched Diablo III, I didn’t expect the pornography I had been looking at hours previously to be splashed on the screen. But that’s exactly what replaced the black loading screen. Like a scene from Hollywood, the game temporarily froze as it launched, preventing any attempt to clear the screen.”

An electrical and computer engineering student, Andersen immediately knew something was amiss. Not least because he’d been looking at YouPorn through the supposed shield of Google’s Incognito Mode. So, he started digging.

It turns out there’s a serious flaw in how Nvidia’s graphics drivers handle memory. On his blog, Andersen says:

“When the Chrome incognito window was closed, its framebuffer was added to the pool of free GPU memory, but it was not erased… When Diablo requested a framebuffer of its own, NVIDIA offered up the one previously used by Chrome. Since it wasn’t erased, it still contained the previous contents. Since Diablo doesn’t clear the buffer itself – as it should – the old incognito window was put on the screen again.”
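The reuse described in the quote can be reproduced in miniature. This is an added example, not Andersen’s or Nvidia’s code: a small static pool stands in for GPU memory, and the names `fb_alloc`, `fb_free` and `leaked_bytes` are hypothetical. It compares releasing a buffer as-is with erasing it before it returns to the pool.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define FB_SIZE  64   /* bytes per toy "framebuffer" */
#define FB_COUNT 2    /* buffers in the pool */

/* Constructed stand-in for GPU memory; static so every read is well defined. */
static unsigned char vram[FB_COUNT][FB_SIZE];
static bool in_use[FB_COUNT];

/* Hand out the first free buffer without touching its contents,
 * which is the driver behaviour the quote describes. */
unsigned char *fb_alloc(void) {
    for (int i = 0; i < FB_COUNT; i++)
        if (!in_use[i]) { in_use[i] = true; return vram[i]; }
    return NULL;
}

/* Return a buffer to the pool; scrub=true erases it first. */
void fb_free(unsigned char *fb, bool scrub) {
    for (int i = 0; i < FB_COUNT; i++)
        if (fb == vram[i]) {
            if (scrub) memset(vram[i], 0, FB_SIZE);
            in_use[i] = false;
        }
}

/* A "private" app draws a frame and exits; a second app then allocates a
 * buffer and shows it without clearing it. Returns how many bytes of the
 * first app's frame the second app can see. */
size_t leaked_bytes(bool scrub_on_free) {
    const char *frame = "PRIVATE-WINDOW-PIXELS";   /* constructed sample */
    unsigned char *a = fb_alloc();
    memset(a, 0, FB_SIZE);
    memcpy(a, frame, strlen(frame));
    fb_free(a, scrub_on_free);
    unsigned char *b = fb_alloc();                 /* same slot is reused */
    size_t n = 0;
    while (n < strlen(frame) && b[n] == (unsigned char)frame[n]) n++;
    fb_free(b, true);                              /* leave the pool clean */
    return n;
}

int main(void) {
    printf("no scrub: %zu bytes leaked\n", leaked_bytes(false));
    printf("scrub:    %zu bytes leaked\n", leaked_bytes(true));
    return 0;
}
```

In real code, a plain `memset` right before a release can be optimised away as a dead store, so scrubbing routines normally use `explicit_bzero` or `memset_s` where available.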

This uniqueness comes from a series of calculations which take into account various attributes of the computer. Everything from the GPU configuration, to the browser, to what plugins are installed, makes up the token.

The Man in the Middle Sees Everything

Incognito Browsing is only really effective within the browser. Once the packet leaves your computer, and starts to snake its way through the vast expanse of the Internet to its eventual destination, all bets are off.

If someone’s sitting on the same local network as you, they can intercept your traffic in real-time. The software required to do so isn’t especially exotic. It’s just Wireshark.

There are a few things you can do to mitigate this. Firstly, install the HTTPS Everywhere plugin, available for Chrome and Firefox. As the name suggests, this forces SSL connections where possible. While it’s not a sure-fire solution, it helps. It’s worth noting that HTTPS Everywhere can have some adverse effects on some websites. I know that on this particular website, it can introduce some visual glitches.

Malware and Browser Extensions

I’m only going to touch briefly on the software side of how Incognito mode can be defeated, partly because much of it is obvious. If your computer is a festering slag-heap of malware and viruses, no amount of Incognito Mode will keep you secure.

One potential attack vector against incognito mode is through browser extensions. If you’re using an extension that records what you do online, and you activate it in Incognito mode, you undermine any privacy advantages that you get from using incognito mode.

Incognito Mode: Know Your Limits

Incognito mode is great if you want to browse the Internet without leaving a trace locally. But remember that it’s not a sure-fire way to stay shrouded online. It can be undermined quite easily, by anything from a dodgy GPU driver to a rogue Chrome extension to a man-in-the-middle attack.

Has private browsing ever let you down? Tell me about it in the comments below.

I used to think I was doing at least an above-average job controlling when the sites I visited saw my location. That is, until 4 minutes ago while using my Galaxy S5, using Google Chrome version 57.0.2987132, within an incognito window, WITH LOCATION SERVICES OFF, when Leafly.com informed me there was no Durban Poison to be found in my city. Of course not...I was merely researching for a friend whose girlfriend wanted to know about what her cousin was talking about, duh. My next search was to hopefully find a discussion kind of like this one. But seriously, WTF!? Maybe I'm a "conspiracy theorist," but I have this "idea" my government has a direct-fiber optic tap into our entire communications infrastructure, and it is an impossibility to be "incognito," but come on Google! You could at least do a better job of helping me think that someone is looking out for the sheep and not strengthening the chains of control we already have to endure. Alright, back to my research....

It is right, just using private browsing is not enough. Even if your browsing history is not available you are still giving much data to advertisers. It's better to make a combo with tools like Ivacy VPN to be completely anonymous on the internet while browsing.

I use an add-on that “self-destructs” cookies when I leave a page; it enables an easier experience while I am on the page, but without traces remaining for later data-mining. It also clears out LSOs when I end the browser session. Because I am a bit obsessive*, I also have NoJava enabled, so I approve each piece of JavaScript on each site I go to (one can also set it up to allow JS from bookmarked pages, or white list frequently used sites).
*I joke about having CDO—Obsessive-Compulsive Disorder, properly alphabetized! (I know, politically incorrect, but I am more obsessive than average!)

Matthew Hughes is a software developer and writer from Liverpool, England. He is seldom found without a cup of strong black coffee in his hand and absolutely adores his Macbook Pro and his camera. You can read his blog at http://www.matthewhughes.co.uk and follow him on twitter at @matthewhughes.